The latest research by Spectrum shows, Python ranked number one programming language this year.
The python core code is secure, but third-party modules, the way you have developed an application may not be, and that’s why you need a security scanner to find vulnerabilities if any. There are many comprehensive online security scanners to test for online threats, but they may not be able to detect platform specific weakness like Python, Node.js. etc.
Let’s take a look at the following scanner to find security risk in Python application.
PYT (Python Taint)
An open source static analysis tool to detect command injection, cross-site scripting, SQL injection, directory transversal attacks in Python web applications.
Bandit is an Open Stack’s initiative to find common security risk in python code. It processes each file to build AST and generate a report.
You can get it installed using pip.
The usage of Bandit can be customized. For an ex, by default test is done against all the profile, however, if you want to check just ShellInjection then you can try below.
bandit samples/*.py -p ShellInjection
You may also instruct to report based on severity (Low, Medium or High) level.
Pyntch support only Python 2.x, a static code analyzer to detect possible runtime error. It’s not exactly to find risk but will be useful to see runtime exception which can leak sensitive information sometimes.
It’s fast and capable of scanning thousands of lines in a minute.
A python based open-source scanner on finding misconfiguration, insecure files and supporting web frameworks like CherryPy, CakePHP, etc.
Spaghetti is capable of discovering various attacks including the following.
- Brute force
- Credit card, email, IP disclosure
- HTML/SQL/LDAP/XPATH/XSS injection
- ShellShock, Crime, Struts-shock
- Anonymous cipher
RATS (Rough Auditing Tools for Security)
RATS perform a rough analysis of Python, PHP, Perl, C++ code and highlight security related errors like below.
- Time of Check
- Time of Use
- Buffer overflows
A comprehensive vulnerability scanning platform to test network & web applications. Acunetix checks your website for more than 5000 vulnerabilities and provides a detailed report with remediation guidelines.
If your Python web application is exposed to the Internet and looking for in-depth security analysis, then give a try to Acunetix.
Not a scanner but Requires.io monitor Python dependencies security and notify you when found outdated or vulnerable.
You can configure to get notified by adding badges, email or GitHub pull.
A python dependencies checker, Safety can scan the local virtual environment, requirements file, stdin inputs for security issues.
I hope the above-listed tools help you to find security risk in Python application.